December 2008 Archives

Prediction 2009: Internet sites to be given age ratings


In an interview with the British newspaper The Daily Telegraph, Andy Burnham, the UK Culture Secretary, said that the Internet could be given cinema-style age ratings as part of an international crackdown on offensive and harmful online activity. The interview offers several specific, but somewhat controversial, proposals that look likely to be implemented in the near future.

Calling the Internet "quite a dangerous place," the Cabinet minister also said, "... I think we are having to revisit that stuff seriously now. It's true across the board in terms of content, harmful content, and copyright. Libel is [also] an emerging issue.... There is content that should just not be available to be viewed. That is my view. Absolutely categorical. This is not a campaign against free speech, far from it; it is simply there is a wider public interest at stake when it involves harm to other people. We have got to get better at defining where the public interest lies and being clear about it."

International cooperation is viewed as essential by the UK Culture Secretary, and the new Obama administration offers new opportunities. "The change of administration is a big moment. We have got a real opportunity to make common cause," he says. "The more we seek international solutions to this stuff - the UK and the US working together - the more that an international norm will set an industry norm."   

My view is that, despite the very negative reaction by those commenting on the article, several of the proposals mentioned by the Culture Secretary will be coming soon - probably in 2009. The question is whether Internet ratings will be voluntary. This interview offers a glimpse into what the current thinking is regarding Internet decency. As with other aspects of the Internet, the international challenges are immense, but UK experts are obviously working closely with their US counterparts on specific next steps.   

Web ratings would be a significant, and very controversial, development for the public sector and for society as a whole. All online content would need to be classified (similar to movies but in real-time at sites like YouTube). Opponents argue that any rating systems will be biased and flawed.

No doubt, the new technology and processes required to rate content produced by the masses would be overwhelming. There are strong arguments against government intervention. Current laws around Internet piracy can't even be enforced. What new enforcement police will be put in place? What happens to rating violators? Who decides what's what? What about sites that cross into multiple categories (like newspapers)? Is this approach "big brother" from government? How can we monitor real-time blogs, health sites, or other content that falls into various shades of gray?

I agree that the obstacles are huge, and yet I (reluctantly) support aspects of Andy Burnham's position - with voluntary participation. The negative attacks are unfair and don't offer workable solutions. We can't keep doing the same things and expect different results online. We must provide mechanisms for families to surf their values and not let a minority of "bad actors" exploit the Internet. While it would be best if the technology tools existed now to maintain one's integrity online without government involvement, our problems are getting worse - not better. A few weeks back, I wrote about ISAlliance's newly proposed cyber security social contract, which would also help if implemented.   

What we need is easy-to-use technology to help move pragmatic proposals forward. No doubt, the big Internet players like Microsoft and Google are also involved in planning efforts. Proposals should start off with voluntary standards and extensive new training by ISPs. However, I agree with opponents that technology and legislation alone will not solve our Internet decency problems. We need to win the hearts and minds of the majority online. And yet, we also need to police the bad actors online. Setting appropriate standards (like speed limits on highways) is an important step.

If you want to learn more about this topic and detailed proposals, I recommend visiting The Family Online Safety Institute (FOSI).  While you're at it, visit the site that lists panel summaries from their recent FOSI conference.

What are your thoughts on web ratings?           

2008 in Review - Hackers Farther Ahead


It's that time of the year again. The office slows down for a couple of weeks, and we think back on the good, bad, and ugly events that took place over the past year. This has certainly been a year that will be remembered by historians for the election of Barack Obama as President, the bailout of Wall Street and job losses across many industries - including technology companies and state and local governments.

But in the field of computer security, what will we remember about 2008? There are plenty of opinions available to us. From the Georgian cyberwar to Chinese cyberattacks to analysis regarding the effectiveness (or not) of the Payment Card Industry (PCI) standard, CIO Magazine offered their "Security Headlines from 2008: The Year in Review."     

After more than a year of work, the Commission on Cyber Security for the 44th Presidency issued its report earlier this month. It outlines the commission's views on what is currently good and bad in the nation regarding Internet security, as well as recommendations for 2009 and beyond.

Other security magazines and organizations offer their own lists, but I want to take a stab at what I think was the biggest security trend for this past year. No doubt the "cyber coup" in San Francisco and the Georgian cyber war were big stories, but I think 2008 will (unfortunately) be remembered as the year that (bad guy) hackers became even more professional and increased their advantage over network defenders. In reality, the numbers are pretty scary.

The Privacy Rights Clearinghouse keeps track of reported breaches, and the running total has almost reached 250 million records in the USA since 2005. The reported numbers grow every year, largely due to legal requirements to notify consumers of potential breaches. No doubt, many of these records are lost or inadvertently placed online by staff who should know better or who simply make mistakes.

And yet, numerous reports in 2008 showed that the total number of infections, botnets and the spread of malware is increasing rapidly. Here's an excerpt from the Kaspersky Security Bulletin:

The first six months of 2008 confirmed the predictions we made at the end of last year about the evolution of malicious programs, namely:

  • the continuing evolution of so-called Malware 2.0 technologies
  • the evolution of rootkits
  • the return of file viruses
  • attacks on social networking sites
  • threats for mobile devices

One of the most notable malicious programs during the first half of 2008 was, undoubtedly, the Storm worm (classified by Kaspersky Lab as Zhelatin). It remains in the vanguard of Malware 2.0.

Bottom line: we have a lot of work to do in 2009 and beyond. Defending government networks is becoming even more complex and difficult. I will talk about 2009 predictions in my next piece, but one area of growth is the outsourcing of security functions to companies that are able to keep up with the well-funded bad guys. 

What are your thoughts on 2008?  Are we better or worse off (as a nation or in your situation) than this time last year?   


Five reasons to delete computer surveys - especially on security


Too many questions from too many people. The surveys just keep rolling into CIO and CISO mailboxes - along with those tempting offers. I must get at least five survey requests a week.

Does this sound familiar? "We'll enter you in our drawing for a free (something), if you fill out our 15 minute survey." Or have you seen this one, "The first 25 people to respond will get a $25 gift card to (somewhere)."  

What do I do? I almost always delete them. You should too - unless you know who you're really dealing with and have a good reason to answer. Here's why:

1) First, and most important, do you really know where your precious data is going? Many of these surveys come from marketing firms or companies that we have never heard of before. Even if the request supposedly comes from a reputable company, are you sure that they are the ones asking the questions? Better to be safe than sorry.

2) How is the information really going to be used? Most requestors claim that your information will remain anonymous and will not be tracked back to you. How do you know that this is true? I know of examples where this was not the case. What assurances do you have?

3) What information are they asking you to provide? I've received surveys asking detailed questions about network architectures, the versions of security products we use, even the frequency of patch updates on firewalls or the actual IP addresses in use. We don't even give out some of this information to our own staff, so why would I give it away for a free cup of coffee? Might this request be coming from a hacker? Even if it isn't, could it be used by someone at that company who has less than good intentions?

4) Is this just a marketing ploy to get your contact information? A few years ago, I filled out a few surveys - only to receive phone calls from salespeople who asked about the data I had provided. When I answered any questions with a less-than-perfect response, I was "enlightened" about how their new product would solve all of my problems.

Once I asked, "What happened to the anonymity I was promised or the statement that the data was just going to be used in aggregate for determining national trends?" There was silence on the other end of the phone, along with a denial that anything wrong had happened.

5) Finally, might filling out the survey cause a conflict of interest? Government employees are not allowed to take gifts from vendors above a nominal amount (say $10-$15). Could that free game you receive for the survey be an ethical violation? Check your government's rules.

Before I end this piece, I want to add that some surveys are definitely worth the time and attention. In Michigan, we take extra time and pay close attention to surveys from organizations like the National Association of State CIOs (NASCIO). For example, their Strategic Cyber Security Survey provides valuable data from a trusted source. Other surveys from organizations like the FBI are worth the effort as well. I am not against all surveys, since we need the national data and overall metrics to improve.

I also fill out general information on a few selected magazine applications or other forms where I know where the data is going and how it is being used - but I am careful. In fact, our own Government Technology Magazine is a trusted source that should be taken seriously.  

Bottom line, when it comes to filling out security surveys coming by email from unknown sources, my advice hasn't changed in several years. Just say no. There are better uses of your time. 

What are your thoughts?     


Hackers Flock to Social Networking Sites


Do you know everyone who is writing on your Facebook wall? Are you sure?

Reuters reported late last week that the "Destructive Koobface virus turns up on Facebook." This malware uses the social network's messaging system to lure victims into infecting their own PCs. Once installed, Koobface tries to gather sensitive information and "phone home" to its operators.

Here's an excerpt from the article:

"Koobface spreads by sending notes to friends of someone whose PC has been infected. The messages, with subject headers like, 'You look just awesome in this new movie,' direct recipients to a website where they are asked to download what it claims is an update of Adobe Systems Inc's Flash player....

Facebook requires senders of messages within the network to be members and hides user data from people who do not have accounts, said Chris Boyd, a researcher with FaceTime Security Labs. Because of that, users tend to be far less suspicious of messages they receive in the network....

Privately held Facebook has told members to delete contaminated e-mails and has posted directions at http://www.facebook.com/security on how to clean infected computers."

It is no surprise that hackers are going where the information is available. In late 2008, that place is on social networks. My wife received this message on Facebook (on her home laptop) last week. She was fooled by the initial message, but not by the download request.

Attacks are constantly being refined and updated, and users need to constantly be on guard. For government enterprises, I recommend taking steps to verify that you don't have any infections - the lure here is a fake "Adobe Flash update" download, so that is the behavior to look for. A Google search on this topic yields plenty of help.

Has anyone seen Koobface inside their government networks?  Does this situation make you less likely to allow social networks like Facebook at work?    
